anysec commands

configure
    anysec
        apply-groups reference
        apply-groups-exclude reference
        mka-over-ip
            mka-udp-port number
        reserved-label-block reference
        tunnel-encryption
            encryption-group named-item
                admin-state keyword
                apply-groups reference
                apply-groups-exclude reference
                ca-name reference
                encryption-label number
                peer (ipv4-address-no-zone | ipv6-address-no-zone)
                    admin-state keyword
                    apply-groups reference
                    apply-groups-exclude reference
                peer-tunnel-attributes
                    flex-algo-id number
                    igp-instance-id number
                    protocol keyword
                security-termination-policy reference
            security-termination-policy named-item
                admin-state keyword
                apply-groups reference
                apply-groups-exclude reference
                flex-algo-id number
                igp-instance-id number
                local-address (ipv4-address-no-zone | ipv6-address-no-zone)
                protocol keyword
                rx-must-be-encrypted boolean

anysec command descriptions

anysec

Synopsis Enter the anysec context
Context configure anysec
Tree anysec
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

mka-over-ip

Synopsis Enter the mka-over-ip context
Context configure anysec mka-over-ip
Tree mka-over-ip
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

mka-udp-port number
Synopsis ANYsec MKA UDP port
Context configure anysec mka-over-ip mka-udp-port number
Tree mka-udp-port

Description

This command configures the UDP port that identifies the MKA packet on the system.

Nokia recommends configuring this UDP port network wide. In addition, ensure the UDP port is not used by any other protocols in the network.

Range 1024 to 49151
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

reserved-label-block reference

Synopsis ANYsec reserved label block
Context configure anysec reserved-label-block reference
Tree reserved-label-block

Description

This command assigns the label block that is reserved for the ANYsec encryption SID. Without this reserved block, ANYsec cannot assign any encryption SIDs. The encryption SID uniquely identifies the encrypting node within a network and avoids double encryption scenarios. The encryption SID can be assigned per encryption group. However, all encryption groups can have the same encryption SID.

To save label space, Nokia recommends limiting the number of encryption SIDs within a network.

Reference

configure router named-item-64 mpls-labels reserved-label-block named-item-64

Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

tunnel-encryption

Synopsis Enter the tunnel-encryption context
Context configure anysec tunnel-encryption
Tree tunnel-encryption
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

encryption-group [group-name] named-item
Synopsis Enter the encryption-group list instance
Context configure anysec tunnel-encryption encryption-group named-item
Tree encryption-group

Description

Commands in this context create an encryption group.

An encryption group is a group of LSPs that use the same CA and preshared keys (PSK). For ease of PSK management, SR OS allows a group of LSPs to use the same CA with the same PSKs. The PSK is used to secure the SAK for distribution to the other peers.

Note: Although the LSPs are unidirectional, ANYsec is a bidirectional concept where a pair of LSPs between two peers are encrypted and decrypted. Each pair of LSPs uses its own SAK for maximum security, although they may share the same CA and PSK with all other LSPs in the encryption group to secure the SAK.

Max. instances 1023
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

ca-name reference
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Connectivity association for the encryption group
Context configure anysec tunnel-encryption encryption-group named-item ca-name reference
Tree ca-name

Description

This command configures the CA used for this encryption group.

A CA must be configured with the keyword anysec for use in the encryption group.

Reference

configure macsec connectivity-association string

Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

encryption-label number
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Label identifying packets sent from the node to peers
Context configure anysec tunnel-encryption encryption-group named-item encryption-label number
Tree encryption-label

Description

This command creates an encryption SID for the encryption group.

The encryption SID uniquely identifies the encrypting node within a network to avoid double encryption scenarios. The encryption SID can be assigned per encryption group. However, all encryption groups can have the same encryption SID. To save label space, Nokia recommends limiting the number of encryption SIDs within a network. To configure the encryption SID, a reserved-label-block command must be configured under the anysec context. The encryption SID is programmed at the bottom of the stack with the S-bit set.

Range 32 to 1048575
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

peer [peer-ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Enter the peer list instance
Context configure anysec tunnel-encryption encryption-group named-item peer (ipv4-address-no-zone | ipv6-address-no-zone)
Tree peer
Max. instances 1023
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

[peer-ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis Peer IP address of the node SID
Context configure anysec tunnel-encryption encryption-group named-item peer (ipv4-address-no-zone | ipv6-address-no-zone)
Tree peer

Description

This command configures the IPv4 or IPv6 address of the node SID of the peer that is part of this encryption group.

This configuration identifies the segment routing node SID of the peer and programs the egress label stack for matching on the FP5 for encrypting the LSP.

When the label stack is downloaded, the encryption SID is also included at the bottom of the stack with the S-bit set.

Notes

This element is part of a list key.

Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

admin-state keyword
Synopsis Administrative state of the encryption group peer
Context configure anysec tunnel-encryption encryption-group named-item peer (ipv4-address-no-zone | ipv6-address-no-zone) admin-state keyword
Tree admin-state
Options enable, disable
Default disable
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

peer-tunnel-attributes
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Enter the peer-tunnel-attributes context
Context configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes
Tree peer-tunnel-attributes

Description

Commands in this context configure the peer-tunnel attributes.

Tunnel attributes are used to match and identify the outgoing tunnels for encryption with ANYsec. A single set of tunnel attributes is used for multiple peers. Because an LSP is unidirectional, the outgoing tunnel can have different attributes from the incoming tunnel (for example, those of the security termination policy).

Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

flex-algo-id number
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Flexible algorithm ID
Context configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes flex-algo-id number
Tree flex-algo-id

Description

This command configures the flexible algorithm ID. This ID must match the local terminating ANYsec tunnel.

Range 128 to 255
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

igp-instance-id number
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis IGP instance ID
Context configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes igp-instance-id number
Tree igp-instance-id

Description

This command configures the IGP instance ID. This IGP instance ID must match the IGP instance that the incoming encrypted LSP was signaled on.

Range 0 to 31 | 64 to 95
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

protocol keyword
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Protocol used to advertise node SID of incoming tunnel
Context configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes protocol keyword
Tree protocol
Options sr-ospf, sr-ospf3, sr-isis
Default sr-isis
Introduced 23.10.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

security-termination-policy reference
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Security termination policy used by encryption group
Context configure anysec tunnel-encryption encryption-group named-item security-termination-policy reference
Tree security-termination-policy

Reference

configure anysec tunnel-encryption security-termination-policy named-item

Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

security-termination-policy [policy-name] named-item
Synopsis Enter the security-termination-policy list instance
Context configure anysec tunnel-encryption security-termination-policy named-item
Tree security-termination-policy
Max. instances 1023
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

flex-algo-id number
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Flexible algorithm ID
Context configure anysec tunnel-encryption security-termination-policy named-item flex-algo-id number
Tree flex-algo-id

Description

This command configures the flexible algorithm ID. This ID must match the local terminating ANYsec tunnel.

Range 128 to 255
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

igp-instance-id number
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis IGP instance ID
Context configure anysec tunnel-encryption security-termination-policy named-item igp-instance-id number
Tree igp-instance-id

Description

This command configures the IGP instance ID. This IGP instance ID must match the IGP instance that the incoming encrypted LSP was signaled on.

Range 0 to 31 | 64 to 95
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

local-address (ipv4-address-no-zone | ipv6-address-no-zone)
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Local address of node SID associated with ANYsec tunnel
Context configure anysec tunnel-encryption security-termination-policy named-item local-address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree local-address

Description

This command configures the local IPv4 or IPv6 address of the system IP or loopback node SID. It is used to program the FP5 label stack that matches the incoming ANYsec tunnel so that the tunnel can be decrypted.

Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

protocol keyword
Warning:

Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.

Synopsis Protocol used to advertise node SID of incoming tunnel
Context configure anysec tunnel-encryption security-termination-policy named-item protocol keyword
Tree protocol
Options sr-ospf, sr-ospf3, sr-isis
Default sr-isis
Introduced 23.10.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se

rx-must-be-encrypted boolean
Synopsis Enforce encryption for received packets
Context configure anysec tunnel-encryption security-termination-policy named-item rx-must-be-encrypted boolean
Tree rx-must-be-encrypted

Description

When configured to true, the router accepts all arriving traffic that is ANYsec secured on the port. All other traffic is dropped.

When configured to false, the router accepts all arriving traffic on the port.

Default false
Introduced 23.3.R1

Platforms

7750 SR-1 (FP5), 7750 SR-1se
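The command descriptions above state a number of constraints that are easy to get wrong when an ANYsec configuration is assembled by hand: the mka-udp-port, encryption-label, flex-algo-id and igp-instance-id ranges, the protocol options and the sr-isis default, the requirement for a reserved-label-block before any encryption SID can be assigned, the peer admin-state default of disable, and the rx-must-be-encrypted default of false (which leaves unencrypted traffic accepted on the port). The following Python script is an added example, not code from the SR OS reference or from Nokia: it parses a configuration snapshot and reports every finding against those documented values. The brace-delimited layout of SAMPLE_CONFIG is assumed to resemble MD-CLI info output, every name and value in it is constructed, and the helpers parse, instances, check_range, check_tunnel_attrs and check_anysec are this example's own. It deliberately does not demand that peer-tunnel-attributes equal the referenced security-termination-policy, because the reference states that outgoing and incoming tunnels may carry different attributes.

```python
# Added example (not from the SR OS reference): offline sanity check of an
# ANYsec configuration against the ranges, options and defaults documented
# above. SAMPLE_CONFIG mimics MD-CLI "info" brace layout; the layout and
# every name and value in it are constructed for this example.
SAMPLE_CONFIG = """\
configure {
    anysec {
        mka-over-ip {
            mka-udp-port 10000
        }
        reserved-label-block "anysec-labels"
        tunnel-encryption {
            encryption-group "eg1" {
                ca-name "ca1"
                encryption-label 1000
                security-termination-policy "stp1"
                peer 10.0.0.2 {
                    admin-state enable
                }
                peer-tunnel-attributes {
                    flex-algo-id 128
                    igp-instance-id 0
                    protocol sr-isis
                }
            }
            security-termination-policy "stp1" {
                flex-algo-id 128
                igp-instance-id 0
                local-address 10.0.0.1
                protocol sr-isis
                rx-must-be-encrypted false
            }
        }
    }
}
"""

RANGES = {  # documented value ranges; igp-instance-id has two ranges
    "mka-udp-port": [(1024, 49151)], "encryption-label": [(32, 1048575)],
    "flex-algo-id": [(128, 255)], "igp-instance-id": [(0, 31), (64, 95)],
}
PROTOCOLS = {"sr-ospf", "sr-ospf3", "sr-isis"}  # documented protocol options

def parse(text):
    """Nested dicts from brace text: 'x {' opens child 'x', '}' closes it,
    any other line is a 'key value' leaf; double quotes are dropped."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip().replace('"', "")
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

def instances(node, prefix):
    """Yield (name, subtree) for list entries such as 'peer 10.0.0.2'."""
    for key, sub in node.items():
        if isinstance(sub, dict) and key.startswith(prefix + " "):
            yield key[len(prefix) + 1:], sub

def check_range(where, node, key, findings):
    """Record a finding when a numeric leaf lies outside its documented range."""
    value = node.get(key)
    if value is not None and not any(lo <= int(value) <= hi for lo, hi in RANGES[key]):
        findings.append(f"{where}: {key} {value} outside documented range")

def check_tunnel_attrs(where, node, findings):
    """Checks shared by peer-tunnel-attributes and security-termination-policy."""
    check_range(where, node, "flex-algo-id", findings)
    check_range(where, node, "igp-instance-id", findings)
    if node.get("protocol", "sr-isis") not in PROTOCOLS:  # default is sr-isis
        findings.append(f"{where}: unknown protocol {node['protocol']}")

def check_anysec(text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    anysec = parse(text).get("configure", {}).get("anysec", {})
    check_range("mka-over-ip", anysec.get("mka-over-ip", {}), "mka-udp-port", findings)
    if "reserved-label-block" not in anysec:
        findings.append("anysec: no reserved-label-block, so no encryption SID can be assigned")
    te = anysec.get("tunnel-encryption", {})
    policies = dict(instances(te, "security-termination-policy"))
    for name, pol in policies.items():
        where = f"security-termination-policy {name}"
        check_tunnel_attrs(where, pol, findings)
        if pol.get("rx-must-be-encrypted", "false") != "true":  # default is false
            findings.append(f"{where}: rx-must-be-encrypted false, unencrypted traffic is still accepted")
    for name, grp in instances(te, "encryption-group"):
        where = f"encryption-group {name}"
        check_range(where, grp, "encryption-label", findings)
        check_tunnel_attrs(f"{where} peer-tunnel-attributes", grp.get("peer-tunnel-attributes", {}), findings)
        if grp.get("security-termination-policy") not in policies:
            findings.append(f"{where}: security-termination-policy does not name a configured policy")
        for addr, peer in instances(grp, "peer"):
            if peer.get("admin-state", "disable") != "enable":  # default is disable
                findings.append(f"{where} peer {addr}: admin-state disable, tunnel to this peer is not encrypted")
    return findings
```

Running check_anysec(SAMPLE_CONFIG) reports exactly one finding, the rx-must-be-encrypted default; changing that leaf to true yields an empty list. Because defaults are applied when a leaf is absent, a peer block with no admin-state line is reported as disabled and a policy without rx-must-be-encrypted is reported as accepting cleartext, which mirrors how the router behaves with the documented defaults.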